A year and a half ago, users of the TrueCrypt encryption software were shocked to find the long-time developers had quit, stating that they could no longer continue to develop a standard that contained ‘unfixed security issues.’ Understandably they didn’t reveal what those problems were, as doing so would have made the software’s many users vulnerable, but now, we can report on what those bugs actually were.
Discovered by security researcher James Forshaw, the two vulnerabilities in the system could be used to compromise the machine of a TrueCrypt user. While neither would make it possible to decrypt drives protected with the TrueCrypt software, the vulnerabilities would have allowed for the installation of malware on a user’s machine, which would be enough to potentially figure out their decryption key and other sensitive data.
Even though my #truecrypt bugs weren't back doors it's clear that it was possible to sneak them past an audit
Forshaw later clarified that he didn’t suggest the bugs were put in intentionally to test auditing measures, but that the fact it had passed so many checks suggested that the audits weren’t stringent enough.
For anyone worried about these bugs, the best thing to do is move over to one of the TrueCrypt successors. As ExtremeTech points out, one solution, VeraCrypt, has patched out these bugs and uses the same codebase as TrueCrypt, so should be pretty familiar.
However, that would suggest that these security concerns weren’t necessarily what sent the developers away from their long-time encryption platform. Surely if they were so easy to patch out, it wouldn’t cause them to jump ship. Maybe they contributed to it, but it would seem likely that there are other security concerns that may have yet to be discovered in the code base.
Do you think this sort of bug would be enough to cause the people who had worked on TrueCrypt for so long look to find themselves another gig?